
Configuring Virtual Access PointsSonicPoint_wlanSonicVapView


Configuring Virtual Access Points



SonicPoint > Virtual Access Point


This chapter describes the Virtual Access Point feature and includes the following sections:
- "SonicPoint VAP Overview" section
- "Prerequisites" section
- "Deployment Restrictions" section
- "SonicPoint Virtual AP Configuration Task List" section
- "Thinking Critically About VAPs" section
- "VAP Sample Configurations" section

SonicPoint VAP Overview


This section provides an introduction to the Virtual Access Point feature. This section contains the following subsections:
- "What Is a Virtual Access Point?" section
- "What Is an SSID?" section
- "Wireless Roaming with ESSID" section
- "What Is a BSSID?" section
- "Benefits of Using Virtual APs" section
- "Benefits of Using Virtual APs with VLANs" section

What Is a Virtual Access Point?


A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP.

Before the evolution of the Virtual AP feature support, wireless networks were relegated to a One-to-One relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, it would have had to be provided by a separate, distinctly configured Access Point. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service.

With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.

VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously.

http://help. !sonicwall.co /sw/eng/5"05/ui2/25201/SonicPoint_wlanSonicVapView....

2/24/2014


For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide.

What Is an SSID?
A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID.

SonicPoints broadcast a beacon (announcements of availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per SSID (e.g. per VAP or per AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID.

The following settings can be assigned to each VAP:
- Authentication method
- VLAN
- Maximum number of client associations using the SSID
- SSID Suppression

Wireless Roaming with ESSID


An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP. As clients move through the wireless network, the strength of their wireless connection decreases as they move away from one Access Point (AP1) and increases as they move toward another (AP2). Providing AP1 and AP2 are on the same ESSID (for example, "sonicwall") and that the (V)APs share the same SSID and security configurations, the client will be able to roam from one to the other. This roaming process is controlled by the wireless client hardware and driver, so roaming behavior can differ from one client to the next, but it is generally dependent upon the signal strength of each AP within an ESSID.


What Is a BSSID?
A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address, or a unique hardware address of an AP or VAP for the purposes of identification. Continuing the example of the roaming wireless client from the ESSID section above, as the client on the "sonicwall" ESSID moves away from AP1 and toward AP2, the strength of the signal from the former will decrease while the latter increases. The client's wireless card and driver constantly monitor these levels, differentiating between the (V)APs by their BSSID. When the card/driver's criteria for roaming are met, the client will detach from the BSSID of AP1 and attach to the BSSID of AP2, all the while remaining connected to the "sonicwall" ESSID.

Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:
- Radio Channel Conservation: Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problem. Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
- Optimize SonicPoint LAN Infrastructure: Share the same SonicPoint LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower down the capital expenditure for installation and maintenance of your WLANs.

Benefits of Using Virtual APs with VLANs

Although the implementation of VAPs does not require the use of VLANs, VLAN use does provide practical traffic differentiation benefits. When not using VLANs, the traffic from each VAP is handled by a common interface on the SonicWALL security appliance. This means that all traffic from each VAP will belong to the same zone and same subnet (Footnote: a future version of SonicOS Enhanced will allow for traffic from different VAPs to exist on different subnets within the same zone, providing a measure of traffic differentiation even without VLAN tagging). By tagging the traffic from each VAP with a unique VLAN ID, and by creating the corresponding subinterfaces on the SonicWALL security appliance, it is possible to have each VAP occupy a unique subnet, and to assign each subinterface to its own zone. This affords the following benefits:
- Each VAP can have its own security services settings (e.g. GAV, IPS, CFS, etc.)
- Traffic from each VAP can be easily controlled using Access Rules configured from the zone level
- Separate Wireless Guest Services (WGS) or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of SonicPoint hardware
- Bandwidth management and other Access Rule-based controls can easily be applied

Prerequisites
- Each SonicWALL SonicPoint must be explicitly enabled for Virtual Access Point support by selecting the SonicPoint > SonicPoints > General Settings Tab: "Enable SonicPoint" checkbox in the SonicOS management interface and enabling either Radio A or G.
- SonicPoints must be linked to a WLAN zone on your SonicWALL UTM appliance in order for provisioning of APs to take place.
- When using VAPs with VLANs, you must ensure that the physical SonicPoint discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN subinterface on the SonicWALL). You must also ensure that VAP packets that are VLAN tagged by the SonicPoint are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN capable switch, on the network.
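
One way to verify the tagging requirement above on frames captured at the switch ports between the SonicPoint and the SonicWALL. This Python check is an added example, not part of the SonicWALL documentation; the function names, result strings, VLAN IDs and frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100    # standard 802.1Q VLAN tag
TPID_8021AD = 0x88A8   # outer service tag used when tags are stacked (Q-in-Q)


def vlan_stack(frame: bytes) -> list:
    """Return the VLAN IDs carried by an Ethernet frame, outermost tag first."""
    tags = []
    offset = 12                                # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags                        # reached the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify(frame: bytes, expected_vid=None) -> str:
    """Classify one captured frame.

    expected_vid=None  -> SonicPoint discovery/provisioning traffic, which must
                          stay untagged (unless it terminates natively on a
                          VLAN subinterface, in which case pass that VLAN ID).
    expected_vid=N     -> VAP traffic the SonicPoint tagged with VLAN ID N.
    """
    tags = vlan_stack(frame)
    if len(tags) > 1:
        return "double-encapsulated"
    if expected_vid is None:
        return "ok" if not tags else "management-tagged"
    if not tags:
        return "un-encapsulated"
    return "ok" if tags[0] == expected_vid else "wrong-vlan"


def build_frame(*tags) -> bytes:
    """Constructed sample frame: dummy MACs, optional (tpid, tci) tags, IPv4 payload."""
    frame = bytes.fromhex("ffffffffffff020000000001")
    for tpid, tci in tags:
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    samples = {
        "provisioning, untagged": (build_frame(), None),
        "provisioning, tagged by switch": (build_frame((TPID_8021Q, 50)), None),
        "VAP traffic, VLAN 50": (build_frame((TPID_8021Q, 50)), 50),
        "VAP traffic, tag stripped": (build_frame(), 50),
        "VAP traffic, Q-in-Q": (build_frame((TPID_8021AD, 100), (TPID_8021Q, 50)), 50),
    }
    for name, (frame, vid) in samples.items():
        print(f"{name}: {classify(frame, vid)}")
```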

Deployment Restrictions
When configuring your VAP setup, be aware of the following deployment restrictions:
- Maximum SonicPoint restrictions apply and differ based on your SonicWALL security appliance. Review these restrictions in the "Custom VLAN Settings" section.


SonicPoint Virtual AP Configuration Task List


A SonicPoint VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. The subsequent sections describe VAP deployment requirements and provide an administrator configuration task list:
- "SonicPoint VAP Configuration Overview" section
- "Network Zones" section
- "VLAN Subinterfaces" section
- "DHCP Server Scope" section
- "Sonic Point Provisioning Profiles" section
- "Thinking Critically About VAPs" section
- "Deploying VAPs to a SonicPoint" section

SonicPoint VAP Configuration Overview


The following are required areas of configuration for VAP deployment:

Step 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces.

Step 2 Interface (or VLAN Subinterface) - The Interface (X2, X3, etc...) represents the physical connection between your SonicWALL UTM appliance and your SonicPoint(s). Your individual zone settings are applied to these interfaces and then forwarded to your SonicPoints.

Step 3 DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as "Scopes". The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

Step 4 VAP Profile - The VAP Profile feature allows for creation of SonicPoint configuration profiles which can be easily applied to new SonicPoint Virtual Access Points as needed.

Step 5 VAP Objects - The VAP Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings.

Step 6 VAP Groups - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s).

Step 7 Assign VAP Group to SonicPoint Provisioning Profile Radio - The Provisioning Profile allows a VAP Group to be applied to new SonicPoints as they are provisioned.

Step 8 Assign WEP Key (for WEP encryption only) - The Assign WEP Key allows for a WEP Encryption Key to be applied to new SonicPoints as they are provisioned. WEP keys are configured per-SonicPoint, meaning that any WEP-enabled VAPs assigned to a SonicPoint must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.

Network Zones
This section contains the following subsections:
- "The Wireless Zone" section
- "Custom Wireless Zone Settings" section

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.

For detailed information on configuring zones, see Chapter 18, Network > Zones.

The Wireless Zone


The Wireless zone type, of which the "WLAN Zone" is the default instance, provides support to SonicWALL SonicPoints. When an interface or subinterface is assigned to a Wireless zone, the interface can discover and provision Layer 2 connected SonicPoints, and can also enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Wireless Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

Note: SonicPoints can only be managed using untagged, non-VLAN packets. When setting up your WLAN, ensure that packets sent to the SonicPoints are non VLAN tagged.

Custom Wireless Zone Settings

Although SonicWALL provides the pre-configured Wireless zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single, or multiple SonicPoint access points. The following three sections describe settings for custom wireless zones:
- "General" section
- "Wireless" section
- "Guest Services" section

General

Feature and description:
- Name: Create a name for your custom zone.
- Security Type: Select Wireless in order to enable and access wireless security options.
- Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Wireless Guest Services (WGS).
- SonicWALL Security Services: Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your SonicPoints.

Wireless

Feature and description:
- Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to SonicPoint-generated traffic only.
- SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunneled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone. SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.
- WiFiSec Enforcement: Requires all traffic be either IPsec or WPA. With this option checked, all non-guest connections must be IPsec enforced. WiFiSec Exception Service - Select the service(s) you wish to be exempt from WiFiSec Enforcement.
- Require WiFiSec for Site-to-site VPN Tunnel Traversal: For use with WiFiSec enforcement, requires WiFiSec security on all site-to-site VPN connections through this zone.
- Trust WPA/WPA2 traffic as WiFiSec: Allows WPA or WPA2 to be used as an alternative to WiFiSec.
- SonicPoint Provisioning Profile: Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.

Guest Services
The Enable Wireless Guest Services option allows the following guest services to be applied to a zone:


Feature and description:
- Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
- Bypass AV Check for Guests: Allows guest traffic to bypass Anti-Virus protection.
- Enable Dynamic Address Translation (DAT): Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for WGS users. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint's network settings.
- Enable External Guest Authentication: Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
- Custom Authentication Page: Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
- Post Authentication Page: Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
- Bypass Guest Authentication: Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
- Redirect SMTP traffic to: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
- Deny Networks: Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
- Pass Networks: Automatically allows traffic through the Wireless zone from the networks you select.
- Max Guests: Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.

VLAN Subinterfaces
A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connections, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate subinterface on an actual physical interface.

VLAN subinterfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN subinterfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.

VLAN subinterfaces are configured from the Network > Interfaces page.

Custom VLAN Settings


The table below lists configuration parameters and descriptions for VLAN subinterfaces:

Feature and description:
- Zone: Select a zone to inherit zone settings from a predefined or custom user-defined zone.
- VLAN Tag: Specify the VLAN ID for this subinterface.
- Parent Interface: Select a physical parent interface (X2, X3, etc...) for the VLAN.
- IP Configuration: Create an IP address and Subnet Mask in accordance with your network configuration.
- Sonic Point Limit: Select the maximum number of SonicPoints to be used on this interface. Below are the maximum number of SonicPoints per interface based on your SonicWALL UTM hardware:
- Management Protocols: Select the protocols you wish to use when managing this interface.
- Login Protocols: Select the protocols you will make available to clients who access this subinterface.

DHCP Server Scope


The DHCP server assigns leased IP addresses to users within specified ranges, known as "Scopes". The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

The table below shows maximum allowed DHCP leases for SonicWALL security appliances.

Platform: NSA 3500, NSA 4500, E5500, E6500, E7500

Maximum DHCP Leases: 1,024 leases, 4,096 leases

Virtual Access Points Profiles


A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the SonicPoint > Virtual Access Point page.

Virtual Access Point Profile Settings


The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

Feature and description:
- Name: Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
- Type: Set to SonicPoint by default. Retain this default setting if using SonicPoints as VAPs (currently the only supported radio type).
- Authentication Type: Below is a list of available authentication types with descriptive features and uses for each:
  - WEP: Lower security. For use with older legacy devices, PDAs, wireless printers.
  - WPA: Good security (uses TKIP). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. No client software needed in most cases.
  - WPA2: Best security (uses AES). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. Client software install may be necessary in some cases. Supports 802.11i "Fast Roaming" feature. No backend authentication needed after first log-in (allows for faster roaming).
  - WPA2-AUTO: Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection will default to WPA.
- Unicast Cipher: The unicast cipher will be automatically chosen based on the authentication type.
- Multicast Cipher: The multicast cipher will be automatically chosen based on the authentication type.
- Maximum Clients: Choose the maximum number of concurrent client connections permissible for this virtual access point.

WPA-PSK / WPA2-PSK Encryption Settings


Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

Feature and description:
- Pass Phrase: The shared passphrase users will enter when connecting with PSK-based authentication.
- Group Key Interval: The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

WPA-EAP / WPA2-EAP Encryption Settings


Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.

Feature and description:
- RADIUS Server 1: The name/location of your RADIUS authentication server.
- RADIUS Server 1 Port: The port on which your RADIUS authentication server communicates with clients and network devices.
- RADIUS Server 1 Secret: The secret passcode for your RADIUS authentication server.
- RADIUS Server 2: The name/location of your backup RADIUS authentication server.
- RADIUS Server 2 Port: The port on which your backup RADIUS authentication server communicates with clients and network devices.
- RADIUS Server 2 Secret: The secret passcode for your backup RADIUS authentication server.
- Group Key Interval: The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

Shared / Both (WEP) Encryption Settings


WEP is provided for use with legacy devices that do not support the newer WPA/WPA2 encryption methods. This solution utilizes a shared key.

Feature and description:
- Encryption Key: Select the key to use for WEP connections to this VAP. WEP encryption keys are configured in the SonicPoint > SonicPoints page under SonicPoint Provisioning Profiles.

Virtual Access Points


The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.

General VAP Settings

Feature and description:
- SSID: Create a friendly name for your VAP.
- VLAN ID: When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select.
- Enable Virtual Access Point: Enables this VAP.
- Enable SSID Suppress: Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.

Advanced VAP Settings


Advanced settings allow the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See "Virtual Access Points Profiles" section for complete authentication and encryption configuration information.

Virtual Access Point Groups


The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPoint > Virtual Access Point page.


Sonic Point Provisioning Profiles


SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID's, and channels of operation.

Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

SonicOS includes a default SonicPoint profile, named SonicPoint. You can modify this profile or create a new one. The default SonicPoint profile has the following settings:

802.11a Radio
- Enable 802.11a Radio: Yes - Always on
- SSID: SonicWALL
- Radio Mode: 54Mbps - 802.11a
- Channel: AutoChannel
- ACL Enforcement: Disabled
- Authentication Type: WEP - Both Open System & Shared Key
- Schedule IDS Scan: Disabled
- Data Rate: Best
- Antenna Diversity: Best

802.11g Radio
- Enable 802.11g Radio: Yes - Always on
- SSID: SonicWALL
- Radio Mode: 2.4 GHz 54Mbps - 802.11g
- Channel: AutoChannel
- ACL Enforcement: Disabled
- Authentication Type: WEP - Both Open System & Shared Key
- Schedule IDS Scan: Disabled
- Data Rate: Best
- Antenna Diversity: Best

Thinking Critically About VAPs


This section provides content to help determine what your VAP requirements are and how to apply these requirements to a useful VAP configuration. This section contains the following subsections:
- "Determining Your VAP Needs" section
- "A Sample Network" section
- "Determining Security Configurations" section
- "VAP Configuration Worksheet" section

Determining Your VAP Needs


When deciding how to configure your VAPs, begin by considering your communication needs, particularly:
- How many different classes of wireless users do I need to support?
- How do I want to secure these different classes of wireless users?
- Do my wireless clients have the required hardware and drivers to support the chosen security settings?
- What network resources do my wireless users need to communicate with?
- Do any of these wireless users need to communicate with other wireless users?
- What security services do I wish to apply to each of these classes of wireless users?

A Sample Network

The following is a sample VAP network configuration, describing four separate VAPs:
- VAP #1, Corporate Wireless Users: A set of users who are commonly in the office, and who should be given full access to all network resources, providing that the connection is authenticated and secure. These users already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS, Internet Authentication Services.
- VAP #2, Legacy Wireless Devices: A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable of WEP encryption.
- VAP #3, Visiting Partners: Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company's Directory Services.
- VAP #4, Guest Users: Visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Some guest users will be provided a simple, temporary username and password for access.
- VAP #5, Frequent Guest Users: Same as Guest Users, however, these users will have more permanent guest accounts through a back-end database.

Determining Security Configurations


Understanding these requirements, you can then define the zones (and interfaces) and VAPs that will provide wireless services to these users:
- Corp Wireless: Highly trusted wireless zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.
- WEP & PSK: Moderate trust wireless zone. Comprises two virtual APs and subinterfaces, one for legacy WEP devices (e.g. wireless printers, older handheld devices) and one for visiting clients who will use WPA-PSK security.
- WGS: Wireless Guest Services zone, using the internal WGS user database.
- LHM: Lightweight Hotspot Messaging enabled zone, configured to use external LHM authentication back-end server.

VAP Configuration Worksheet


The worksheet below provides some common VAP setup questions and solutions along with a space for you to record your own configurations.

Question: How many different types of users will I need to support?
- Example: Corporate wireless, guest access, visiting partners, wireless devices are all common user types, each requiring their own VAP.
  Solution: Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed.
- Your Configurations:

Question: How many users will each VAP need to support?
- Example: A corporate campus has 100 employees, all of whom have wireless capabilities.
  Solution: The DHCP scope for the visitor zone is set to provide at least 100 addresses.
- Example: A corporate campus often has a few dozen wireless capable visitors.
  Solution: The DHCP scope for the visitor zone is set to provide at least 25 addresses.
- Your Configurations:

Question: How do I want to secure different wireless users?
- Example: A corporate user who has access to corporate LAN resources.
  Solution: Configure WPA2-EAP.
- Example: A guest user who is restricted to only Internet access.
  Solution: Enable WGS but configure no security settings.
- Example: A legacy wireless printer on the corporate LAN.
  Solution: Configure WEP and enable MAC address filtering.
- Your Configurations:

Question: What network resources do my users need to communicate with?
- Example: A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users.
  Solution: Enable Interface Trust on your corporate zone.
- Example: A wireless guest who needs to access Internet and should not be allowed to communicate with other WLAN users.
  Solution: Disable Interface Trust on your guest zone.
- Your Configurations:

Question: What security services do I wish to apply to my users?
- Example: Corporate users who you want protected by the full SonicWALL security suite.
  Solution: Enable all SonicWALL security services.
- Example: Guest users who you do not give a hoot about since they are not even on your LAN.
  Solution: Disable all SonicWALL security services.
- Your Configurations:

VAP Sample Configurations


This section provides configuration examples based on real-world wireless needs. This section contains the following subsections:

"Configuring a VAP for Guest Access" section
"Configuring a VAP for Corporate LAN Access" section
"Deploying VAPs to a SonicPoint" section

Configuring a VAP for Guest Access


You can use a Guest Access VAP for visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Guest users will be provided a simple, temporary username and password for access. More advanced configurations also offer more permanent guest accounts, verified through a back-end database. This section contains the following subsections:

"Configuring a Zone" section
"Creating a Wireless LAN (WLAN) Interface" section
"Creating a VLAN Subinterface on the WLAN" section
"Configuring DHCP IP Ranges" section
"Creating the SonicPoint VAP" section

Configuring a Zone

In this section you will create and configure a new wireless zone with guest login capabilities.

Step 1 Log into the management interface of your SonicWALL UTM appliance.
Step 2 In the left-hand menu, navigate to the Network > Zones page.
Step 3 Click the Add... button to add a new zone.

General Settings Tab

Step 1 In the General tab, enter a friendly name such as "VAP-Guest" in the Name field.
Step 2 Select Wireless from the Security Type drop-down menu.
Step 3 De-select the Allow Interface Trust checkbox to disallow communication between wireless guests.

Wireless Settings Tab

Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.
Step 2 Uncheck all other options in this tab.
Step 3 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).

Guest Services Tab

Step 1 In the Guest Services tab, check the Enable Wireless Guest Services checkbox.

Note: In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using wireless guest services. Steps 2 and 7, however, are recommended.

Step 2 Check the Enable Dynamic Address Translation (DAT) checkbox to allow guest users full communication with addresses outside the local network.
Step 3 Check the Custom Authentication Page checkbox and click the Configure button to configure a custom header and footer for your guest login page.
Step 4 Click the OK button to save these changes.
Step 5 Check the Post Authentication Page checkbox and enter a URL to redirect wireless guests to after login.
Step 6 Check the Pass Networks checkbox to configure a website (such as your corporate site) that you wish to allow access to without logging in to guest services.
Step 7 Enter the maximum number of guests this VAP will support in the Max Guests field.
Step 8 Click the OK button to save these changes.

Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a Wireless LAN (WLAN) Interface

In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip to the "Creating a Wireless LAN (WLAN) Interface" section.

Step 1 In the Network > Interfaces page, click the Configure icon corresponding to the interface you wish to use as a WLAN. The Interface Settings screen displays.
Step 2 Select WLAN from the Zone drop-down list.
Step 3 Enter the desired IP Address for this interface.
Step 4 In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.

Note: The maximum number of SonicPoints depends on your platform. Refer to the "Custom VLAN Settings" section to view the maximum number of SonicPoints for your platform.

Step 5 Click the OK button to save changes to this interface.

Your WLAN interface now appears in the Interface Settings list.

Creating a VLAN Subinterface on the WLAN

In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the "Configuring a Zone" section.

Step 1 In the Network > Interfaces page, click the Add Interface button.
Step 2 In the Zone drop-down menu, select the zone you created in Configuring a Zone. In this case, we have chosen VAP-Guest.
Step 3 Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the "VAP-Guest" VLAN. You should choose a number based on an organized scheme. In this case, we choose 200 as our tag for the VAP-Guest VLAN.
Step 4 In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.
Step 5 Enter the desired IP Address for this subinterface.
Step 6 Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the total number of SonicPoints your VLAN will support.
Step 7 Optionally, you may add a comment about this subinterface in the Comment field.
Step 8 Click the OK button to add this subinterface.

Your VLAN subinterface now appears in the Interface Settings list.

Configuring DHCP IP Ranges

Because the number of available DHCP leases varies based on your platform, the DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your SonicWALL security appliance, refer to the "DHCP Server Scope" section.

Step 1 In the left-hand menu, navigate to the Network > DHCP Server page.
Step 2 Locate the interface you just created; in our case this is the X2:V200 (virtual interface 200 on the physical X2 interface) interface. Click the Configure icon corresponding to the desired interface.

Note: If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the "DHCP Server Scope" section.

Step 3 Edit the Range Start and Range End fields to meet your deployment needs.
Step 4 Click the OK button to save these changes.

Your new DHCP lease scope now appears in the DHCP Server Lease Scopes list.
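The worksheet rules and the DHCP sizing advice above can be checked against a written-down plan before anything is entered in the management interface. The Python script below is an added example, not SonicWALL code: the Vap record, the lint_plan function, the 256-lease ceiling, the VLAN tags 50 and 100 and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: platform-wide DHCP lease ceiling; substitute your appliance's real limit.
PLATFORM_MAX_LEASES = 256

@dataclass
class Vap:
    name: str
    vlan_tag: int
    security: str          # "WPA2-AUTO-EAP", "WPA-PSK", "WEP" or "OPEN"
    guest: bool            # zone serves untrusted guest users
    interface_trust: bool  # state of the zone's Allow Interface Trust checkbox
    mac_filtering: bool
    wgs: bool              # Wireless Guest Services enabled on the zone
    expected_users: int
    dhcp_range: tuple      # (Range Start, Range End)

    def scope_size(self) -> int:
        lo, hi = (int(ipaddress.ip_address(a)) for a in self.dhcp_range)
        return hi - lo + 1

def lint_plan(vaps, max_leases=PLATFORM_MAX_LEASES):
    """Return (vap_name, finding) tuples for each worksheet rule the plan breaks."""
    findings, tags = [], {}
    for v in vaps:
        if v.vlan_tag in tags:
            findings.append((v.name, f"VLAN tag {v.vlan_tag} already used by {tags[v.vlan_tag]}"))
        tags.setdefault(v.vlan_tag, v.name)
        if v.guest and v.interface_trust:
            findings.append((v.name, "guest zone has Interface Trust enabled"))
        if v.security == "WEP" and not v.mac_filtering:
            findings.append((v.name, "WEP without MAC address filtering"))
        if v.security == "OPEN" and not v.wgs:
            findings.append((v.name, "no security settings and WGS disabled"))
        if v.scope_size() < v.expected_users:
            findings.append((v.name, f"DHCP scope {v.scope_size()} < {v.expected_users} users"))
    total = sum(v.scope_size() for v in vaps)
    if total > max_leases:
        findings.append(("*", f"scopes total {total} leases, platform allows {max_leases}"))
    return findings

PLAN = [  # constructed sample plan; addresses, tags 50/100 and per-VAP user counts are made up
    Vap("VAP-Corporate", 50, "WPA2-AUTO-EAP", False, True, False, False, 100, ("10.0.50.10", "10.0.50.109")),
    Vap("VAP-Legacy", 100, "WEP", False, True, False, False, 10, ("10.0.100.10", "10.0.100.29")),
    Vap("VAP-Guest", 200, "OPEN", True, True, False, True, 25, ("10.0.200.10", "10.0.200.29")),
]
for name, finding in lint_plan(PLAN):
    print(f"{name}: {finding}")
```

The sample plan deliberately leaves Interface Trust enabled on the guest zone, omits MAC filtering on the WEP VAP and undersizes the guest DHCP scope, so all three are reported.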
